Fubyou

asked on

Crack users' passwords on 2003 Domain Controller

I want to crack users' passwords off our Windows 2003 domain controller to show weaknesses that exist. I thought that if I used pwdump or Winternals ERD Commander along with LC5 I might be able to accomplish this. At least it sounds good. Does anyone have any suggestions or comments on whether I might be on the right track or not? I don't want to purchase any software, but I'm open to cheap ($) suggestions. I already own LC5 and am willing to purchase anything from them or Winternals.
ahoffmann

Take note that this question might be against the EE policies, so don't expect ready-to-use suggestions.

Using a password cracker against the SAM file should be sufficient. I think you know how to search the web for other tools ;-)
d_ww

If you have the SAM file, that's all you need.
LC5 will do the trick.
SOLUTION
x4h

This solution is only available to members.
Fubyou

ASKER

This is a legit security question and shouldn't be against any EE policies. I am the administrator and I need a way to audit passwords so that our users will learn to select better passwords than lame easy ones that can fall prey to a dictionary-type attack. In my case it's not as simple as reconfiguring the Default Domain Policy (W2003) to only allow strong passwords. There would be utter chaos and it would be a head-on-stick scenario. My plan is to create a script that emails the user to change their password within a week or so; if they don't change it, I'll have a password auto-generated and a ds tool would finish the job; an email would be sent to the user that their password will be changed the following week. Problem solved in my eyes. Then once everyone is using good passwords I can change the Default Domain Policy back to enforcing strong passwords.
It may inconvenience some users when they are told to change their password to something more complex, but that's life and they will have to accept that. What if, during these weeks that you're slowly migrating things across and emailing users, somebody does actually manage to hack into your system using an easy-to-guess password and gets hold of confidential information? I think that would be a much more 'head on stick scenario'.

I can understand where you're coming from, not wanting to migrate things across straight away, but at the end of the day part of your job is making sure that the data on the network is kept secure, and if doing that temporarily inconveniences some users then so be it. I would suggest that most people won't object to the move as they will realise it's in their best interests.

Well, I think you have most of the bases already covered. The SAM is going to be the target for obtaining passwords; this is run against LC5.

Other common weaknesses that are exploitable all the way up to the latest service pack: DCOM RPC and LSASS are the main two I'm seeing used. I have a working copy of the DCOM RPC and I was able to get root and send the SAM without the 2K SP4 server showing an active connection (except in netstat and sniffers).

Other password issues would be a client being compromised and a sniffer installed as MITM for gathering passwords.

Ethereal is what I use for sniffing.
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members.
Microsoft Baseline Security is a Windows network vulnerability tool. It's free and will assess your Windows network for vulnerabilities: lack of OS/APP updates, unnecessary running services, WEAK PASSWORDS, etc.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Good Luck
>>This is a legit security question and shouldn't be against any EE policies. I am the administrator and I need a way to audit passwords so that our users will learn to select better passwords than lame easy ones that can fall prey to a dictionary type attack.

Then do a dictionary attack and you'll find the bad ones.
If you really want to crack the passwords using a brute force tool you will eventually get ANY password....
>If you really want to crack the passwords using a brute force tool you will eventually get ANY password....

ALT code passes, especially ALT+255 passwords, cannot be cracked; give it a try.
Hold the Alt key and on the number pad type 255; that one-character pass cannot be cracked by any of the password crackers I've ever found.
But alt code passes aren't good to use, since you can't send them to an IIS login, or if using vnc or other remote control software.

Just FYI.
-rich
LOL I only knew that one as ALT+0160...

It CAN however be cracked!
Rainbow tables can include all the alt codes though...
At least if I remember correctly they can.

Lastly... if you are afraid of passes being insecure and want to crack em for that reason.... the ones you can't get don't need to get cracked :)
> .. the ones you can't get ..
There are no passwords which can't be cracked :-D
And if there are passwords which cannot be cracked it means they cannot be cracked right now.
Time is against all security.

Just some more info to get you paranoid :)
> .. get you paranoid ..
right now I'm ;-)
I'm not...
I can see what you're doing so I'm not afraid ;)
If you load that password of the single char of ALT+255 into L0pht, or john, or other "conventional" password crackers, they ALL think the pass is 3 chars long. I've used every tool I can to find the correct HEX code for the keystroke ALT+255 (every keylogger, fakeGina, SoftIce etc...) and I've yet to find out how to do it with ALT+255 only. It's an UNprintable ASCII code, but it must have a hex value; if it did, THEN perhaps it would be able to be added to the char list of rainbow/ophcrack.
Again this doesn't work for other OSes; it seems to be a Windows thing... This is way off topic and we are wasting the author's time with this discussion. If you figure out the hex code of the "character" ALT+255 you let me know; it's not as simple as you think... change your font, and you change the hex code...
I'm closing my trap now.
-rich
> ALT+255
0xff
I wish that were it! And if it is... doesn't work in john, l0pht or rainbow/ophcrack.
-rich
pwdump and LC5 should work just fine. But the best thing to do is disable LM hashing on the 2003 server in the first place. That's one of the first things I do when deploying a new domain controller.
http://emea.windowsitpro.com/Windows/Article/ArticleID/43416/43416.html
Fubyou

ASKER

Thanks guys!!!!!!!!!
http://plain-text.info/

Saves you time and effort dealing with the Rainbow tables.  If you have the hash, plug it into this site, and it will give you the password.